LimitRange

A limit range provides a mechanism to enforce min/max limits placed on resources
in a Kubernetes namespace.

By adding a limit range to your namespace, you can enforce the minimum and
maximum amount of CPU and memory consumed by an individual pod or container.

ResourceQuota

Kubernetes can limit both the number of objects created in a namespace, and the
total amount of resources requested across objects in a namespace. This
facilitates sharing of a single Kubernetes cluster by several teams, each in a
namespace, as a mechanism for preventing one team from starving another team of
cluster resources.

Secret

Secrets are storage for sensitive information, such as keys, passwords, and
certificates. They are accessible by the intended pod(s), but held separately
from their definitions.

PersistentVolume

A persistent volume is an object
(PersistentVolume) in the infrastructure provisioned by the cluster
administrator. Persistent volumes provide durable storage for stateful
applications.

PersistentVolumeClaim

A PersistentVolumeClaim object is a request for storage by a pod author.
Kubernetes matches the claim against the pool of available volumes and binds
them together. The claim is then used as a volume by a pod. Kubernetes makes
sure the volume is available on the same node as the pod that requires it.

Custom Resources

A custom resource is an extension of the Kubernetes API that extends the API or allows you to
introduce your own API into a project or a cluster.

When respondWithChallenges is set to true, unauthenticated requests to
/oauth/authorize will result in WWW-Authenticate challenges, if supported by
the configured authentication methods.

The value in the secret parameter is used as the client_secret parameter
in an authorization code flow.

One or more absolute URIs can be placed in the redirectURIs section. The
redirect_uri parameter sent with authorization requests must be prefixed by
one of the specified redirectURIs.

The accessTokenMaxAgeSeconds value overrides the
default accessTokenMaxAgeSeconds value in the master configuration file
for individual OAuth clients. Setting this value for a client allows long-lived access tokens for that client without affecting the lifetime of other clients.

If null, the default value in the master configuration file is used.

If set to 0, the token will not expire.

If set to a value greater than 0, tokens issued for that client are given the specified expiration time. For example, accessTokenMaxAgeSeconds: 172800 would cause the token to expire 48 hours after being issued.

OAuthClientAuthorization

An OAuthClientAuthorization represents an approval by a User for a
particular OAuthClient to be given an OAuthAccessToken with particular
scopes.

Creation of OAuthClientAuthorization objects is done during an
authorization request to the OAuth server.

name is the token name, which is used as a bearer token to authenticate to
the API.

The clientName value is the OAuthClient that requested this token.

The expiresIn value is the expiration in seconds from the
creationTimestamp.

The redirectURI is where the user was redirected to during the
authorization flow that resulted in this token.

userName represents the User this token allows authentication as.

userUID is the UID of the User this token allows authentication as.

authorizeToken is the name of the OAuthAuthorizationToken used to obtain
this token, if any.
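
The following added example, which is not OKD's own code, applies the
accessTokenMaxAgeSeconds rules and the creationTimestamp plus expiresIn
calculation described above to flag clients and still-valid tokens that outlast
a policy limit. The sample objects, the 86400-second master default and policy
limit, and the treatment of expiresIn: 0 as a non-expiring token are assumptions.

```python
from datetime import datetime, timedelta, timezone

def effective_max_age(client, master_default):
    """Lifetime in seconds of tokens issued to an OAuthClient; None = no expiry."""
    age = client.get("accessTokenMaxAgeSeconds")
    if age is None:   # null: the master configuration default applies
        return master_default
    return None if age == 0 else age   # 0: never expires; > 0: per-client override

def token_expiry(token):
    """creationTimestamp + expiresIn as a UTC datetime; None if it never expires."""
    if token["expiresIn"] == 0:   # assumption: 0 marks a non-expiring token
        return None
    created = datetime.strptime(token["metadata"]["creationTimestamp"],
                                "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return created + timedelta(seconds=token["expiresIn"])

def audit(clients, tokens, master_default, policy_max, now):
    """Flag clients and still-valid tokens whose lifetime exceeds policy_max seconds."""
    findings = []
    for c in clients:
        age = effective_max_age(c, master_default)
        if age is None or age > policy_max:
            findings.append(("client", c["metadata"]["name"], age))
    for t in tokens:
        expiry = token_expiry(t)
        if expiry is not None and expiry <= now:
            continue   # already expired, nothing to revoke
        if expiry is None or t["expiresIn"] > policy_max:
            # Report clientName and userName only: the token's name is the bearer token.
            findings.append(("token", t["clientName"], t["userName"], t["expiresIn"]))
    return findings

# Constructed sample objects (not from a real cluster).
CLIENTS = [
    {"metadata": {"name": "demo-default"}},   # accessTokenMaxAgeSeconds is null
    {"metadata": {"name": "demo-long"}, "accessTokenMaxAgeSeconds": 172800},
    {"metadata": {"name": "demo-forever"}, "accessTokenMaxAgeSeconds": 0},
]
TOKENS = [
    {"metadata": {"creationTimestamp": "2024-01-01T00:00:00Z"},
     "clientName": "demo-long", "userName": "alice", "expiresIn": 172800},
    {"metadata": {"creationTimestamp": "2024-01-01T00:00:00Z"},
     "clientName": "demo-default", "userName": "bob", "expiresIn": 86400},
    {"metadata": {"creationTimestamp": "2023-06-01T00:00:00Z"},
     "clientName": "demo-forever", "userName": "carol", "expiresIn": 0},
]
if __name__ == "__main__":
    print(audit(CLIENTS, TOKENS, 86400, 86400, datetime(2024, 1, 2, 12, tzinfo=timezone.utc)))
```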

User Objects

Identity

When a user logs in to OKD, they do so using a configured identity provider.
This determines the user’s identity, and provides that information to OKD.

OKD then looks for a UserIdentityMapping for that Identity:

If the identity provider is configured with the lookup mapping method, for example,
if you are using an external LDAP system, this automatic mapping is not performed.
You must create the mapping manually. For more information,
see Lookup Mapping Method.

If the Identity already exists, but is not mapped to a User, login
fails.

If the Identity already exists, and is mapped to a User, the user is
given an OAuthAccessToken for the mapped User.

If the Identity does not exist, an Identity, User, and
UserIdentityMapping are created, and the user is given an
OAuthAccessToken for the mapped User.